Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

NPM Fails Worldwide With 'ERR! 418 I'm a Teapot' Error (bleepingcomputer.com) 124

Catalin Cimpanu, writing for BleepingComputer: Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of "ERR! 418 I'm a teapot" whenever they tried to update or install a new JavaScript/Node.js package. JavaScript developers from all over the world received the error, and not just in certain geographical regions. The bug did not affect all users, but only those behind a proxy server.
This discussion has been archived. No new comments can be posted.

NPM Fails Worldwide With 'ERR! 418 I'm a Teapot' Error

Comments Filter:
  • by Zephyn ( 415698 ) on Tuesday May 29, 2018 @12:21PM (#56693624)

    How many people saw that error message and thought to themselves, "This Internet of Things concept is getting way out of hand."

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      The 418 code was an April 1st joke, it really should not be in the codebase of any serious web application...

      • by Lunix Nutcase ( 1092239 ) on Tuesday May 29, 2018 @01:16PM (#56694020)

        Well then good news. NPM isn’t a serious web application. It’s an amateur hour piece of software.

        • Re:You gotta wonder (Score:4, Interesting)

          by rahvin112 ( 446269 ) on Tuesday May 29, 2018 @02:22PM (#56694386)

          Yet it's used directly by millions of people every day and with major applications. This is the problem with these hosted javascript scripts that people plug into their websites willy nilly. They are a shitshow where someone could gain access and plug malware into millions of websites and is a single point of failure. Not even going to touch the shitty programming parent alludes too. Anyone thinking of using this shit should pull copies and check it for security and code quality and host it on their own servers rather than just point to the script and load it dynamically.

          But that would be hard and who cares if it's hard. Funny thing is we just went through this a couple months ago when one of these major scripts hosting went down and it disabled 1/4 of the internet. You'd think people would learn from that.

        • by Carewolf ( 581105 ) on Tuesday May 29, 2018 @07:41PM (#56696294) Homepage

          Well then good news. NPM isn’t a serious web application. It’s an amateur hour piece of software.

          No it is obviously a teapot.

      • So I guess Google is not a serious web application then.

        http://www.google.com/teapot [google.com]

    • Re:You gotta wonder (Score:5, Informative)

      by arth1 ( 260657 ) on Tuesday May 29, 2018 @01:01PM (#56693912) Homepage Journal

      If you saw the error message, you used a command line interface with a proxy server, and thus were likely tech savvy. And then chances are you'd know about the 418 error code and RFC2324 [ietf.org]. It's 20 years old now, preceding IOT by quite a bit.

    • It's nothing compared to "YouTube error 583, I'm a giraffe" [youtube.com], which has affected 1.2 million users.

    • No real nerds fail to understand the meaning behind error 418, but the beasts will never understand.
    • by gweihir ( 88907 )

      Better than "lp0 on fire", now that might wake a few people up. Unfortunately, AFAIK, there is no HTTP error code for that.

  • by Anonymous Coward on Tuesday May 29, 2018 @12:22PM (#56693632)

    Short and Stout!

  • by jellomizer ( 103300 ) on Tuesday May 29, 2018 @12:25PM (#56693668)

    I like to download my Javascript Framework and have it linked to the internal web-server.
    Just for the sake that I don't want an extra point of failure. (Like this) Then you have a to worry about if the bigger target site got hacked and altered the Node.js file to do some nasty stuff from the file.

    Other then getting updates automatic. What is the point?

    • by El Cubano ( 631386 ) on Tuesday May 29, 2018 @12:48PM (#56693812)

      I like to download my Javascript Framework and have it linked to the internal web-server.

      That is not old school. It is the difference between being an amateur programmer and a professional software developer/engineer. To be clear, deploying anything meaninfgul into production based on drawing dependencies form a source which do not trust or directly control is an amateur move.

      For anything more complex than school/hobby project, and for every professional project, I make it a point to ensure the stability and availability of the dependencies. In some cases that might be as simple as ensuring the libraries are available and suitable as is in the Linux distro package repo (I generally trust Debian, RHEL, and Suse for stuff like this). In the case where the packages are not available or they are only available from a potentially unreliable source (Fedora, NPM, CPAN, Maven central, RubyForge, etc.) I make sure to make a local copy (either stand up my own repository or incorporate the depednecny into source control directly). That way I can be assured that the dependency continues to be available to and working when I need.

      Granted, doing that means that one accepts the burden/responsibility of keeping the depedency up to date and tracking the vendor/upstream security advisories. But then, that is why (good) software developers/engineers get paid well.

      • by TheDarkMaster ( 1292526 ) on Tuesday May 29, 2018 @02:30PM (#56694444)
        This. Oh boy, this. I'm fucking sick of seeing all these websites developed in this completely amateur way using javascripts files from several external sources to the site itself where each of them is a potential source of problems and security breaches, and this is not to mention the cases where these scripts call other scripts from other sites that in turn also call other scripts in a lunatic chain of operations to do things that should be contained within the original site.
      • "But then, that is why (good) software developers/engineers get paid well."
        Of course your bosses who get paid better will tell you to do it the stupid way, because they don't want to accept risk. They much rather see the customers not be able to work and have someone else to blame. Then have an overall higher update, but take blame when there is an issue.

      • by HiThere ( 15173 )

        You make an interesting commentary on rust.

  • by Anonymous Coward

    It's never oolong before working in javascript stabs programmers right in the puer!

  • 418 is by far the best 400 code you can generate and it's hilarious!
  • by Anonymous Coward

    There was zero response (that I could see) from the NPM team until a maintainer locked the thread and chided commenters for repeating that they too were receiving the error. This is the third or fourth time there's been a major issue that screws people relying on npm, and if the team hasn't fixed the process by now, it might be good to find a different team that can.

    • If NPM users haven't learned by now they can't rely on that infrastructure, then maybe it's time to review your process. Live by the upstream, die by the upstream. Therefore I host my own upstream.

  • by Anonymous Coward

    It seems the more trivial the project, the more complex of a framework it requires.

    "Project Bang, requires Kong, to Compile Throng, to make lint to compile druffle to enable truffle to fluffle the socksifer."

    100s of Mbs of crap to compile some trivial program, sometimes even GBs of other crapware that will only be used once.

    This is why snaps and containers are awesome, I don't pollute my system with crap, and I can remove it at the drop of a hat.

    Whatever happened to "make"?

    Then again, I just answered my own

  • You wouldn't get that error if you made coffee. You can't make tea in a coffee pot!
  • by Gravis Zero ( 934156 ) on Tuesday May 29, 2018 @12:54PM (#56693854)

    This what happens when you model your software after a house of cards.

  • IIRC there was something wonky with their Github page a few months ago (maybe last year) that caused a bunch of trouble.
  • by iTrawl ( 4142459 ) on Tuesday May 29, 2018 @01:44PM (#56694166)

    Could have been: 419 I'm a Nigerian Prince.

  • Why does Javascript even need a repository? Between that, node.js and jquery, it's starting to look like someone has been reinventing the library stack with quickbasic at the foundation.

  • But then again, NPM and maintainers aren't known for being the brightest bulbs, either. I can think of four other times they've fucked up just in recent memory.

I've never been canoeing before, but I imagine there must be just a few simple heuristics you have to remember... Yes, don't fall out, and don't hit rocks.